7.4.0

Configuring static routes and enabling BGP on FortiGate NVAs

Following is an overview of how to configure static routes:

  1. On the Azure portal, confirm and note the private address space for the virtual WAN hub. See Confirming the private address space of the vWAN hub.
  2. On FortiManager, retrieve subnet information from the managed FortiGate NVAs. See Retrieving subnet information from FortiGate NVAs.
  3. On each FortiGate NVA, configure the static route. See Configuring the static route on each FortiGate NVA.
  4. On FortiGate, verify BGP communication between FortiGate NVAs. See Verifying BGP communication between FortiGate NVAs.

Confirming the private address space of the vWAN hub

The private address space of the vWAN hub is needed to create a summary route from the private address range to the secondary interfaces of the FortiGate NVAs, unless there is a more specific, connected route to establish BGP peering. The BGP peers are already configured and ready to go online after the route is enabled.

To confirm the private address space of the vWAN hub:
  1. On the Azure portal, select the virtual WAN hub.
  2. On the Overview pane, note the Private address space.

Retrieving subnet information from FortiGate NVAs

We will connect to the CLI for one of the managed FortiGate NVAs and look at port2 to locate and note the first IP address of the subnet on the FortiGate. The first IP address will be the local gateway for communicating with the virtual WAN hub routers.

To retrieve the subnet information from FortiGate NVAs:
  1. From FortiManager, connect to the CLI for one of the FortiGates by using SSH:
    1. Go to Device Manager > Device & Groups, and select a FortiGate NVA in the tree menu. The Device Dashboard for the selected device is displayed.
    2. On the Dashboard > Summary pane, go to the System Information widget, and click the Connect to CLI via SSH button.

      The Connect CLI via SSH dialog box is displayed.

    3. In the Admin Name box, type the administrator name used to deploy the FortiGate NVA on Azure, and click OK. The CLI Console of <device name> dialog box is displayed.
    4. Type the password used to deploy the FortiGate NVA on Azure, and press Enter.
  2. In the CLI console, run the get system interface command, and look at the results for port2.

    In the following example, the first IP of the subnet is 10.80.112.1.

    (In this example, port2 is configured with the address 10.80.112.5 and a /25 mask, which makes the network address 10.80.112.0. The first IP of the subnet, which Azure assigns to the virtual switch, is 10.80.112.1.)

Configuring the static route on each FortiGate NVA

On each FortiGate VM, configure static routing to the virtual hub routers through the virtual switch. While creating static routes, we also need a route to respond to the Azure load balancer probes, which come in from IP address 168.63.129.16.

To configure the static route on each FortiGate NVA:
  1. From FortiManager, connect to the CLI for one of the FortiGates by using SSH.
  2. Run the following commands on a FortiGate NVA in the device group:
    config router static
        edit 0
            set dst 10.80.0.0/16
            set gateway 10.80.112.1
            set device port2
        next
        edit 0
            set dst 168.63.129.16/32
            set distance 5
            set gateway 10.80.112.1
            set device port2
        next
    end

    Note the peer IP address for port2.

  3. Repeat the commands on each FortiGate NVA in the device group.
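The following Python script is an added example, not part of this Fortinet page or its tooling. It derives the Azure virtual switch gateway from the port2 address and mask the same way the procedure above does (network address plus one), runs two sanity checks a practitioner would want before pushing the route (the NVA subnet must sit inside the hub address space so the connected route stays more specific than the summary route, and the interface address must not collide with the gateway), and renders the config router static block for one NVA. The hub address space, interface address, probe address and distance value are taken from the page; the function names and the checks are assumptions of this example.

```python
import ipaddress

# Source address of Azure load balancer health probes (from the page).
AZURE_LB_PROBE = "168.63.129.16/32"
PROBE_ROUTE_DISTANCE = 5  # distance used for the probe route on the page


def first_host_gateway(iface_ip_with_mask):
    """Return (network, gateway) for an interface address such as '10.80.112.5/25'.
    Azure assigns the first usable address of the subnet to the virtual switch,
    and that address is the next hop toward the virtual WAN hub routers."""
    iface = ipaddress.ip_interface(iface_ip_with_mask)
    gateway = iface.network.network_address + 1
    return str(iface.network), str(gateway)


def sanity_checks(hub_space, iface_ip_with_mask):
    """Return a list of findings (empty means OK). These checks are this example's
    assumptions about a sane deployment, not FortiOS validation."""
    hub = ipaddress.ip_network(hub_space)
    network, gateway = first_host_gateway(iface_ip_with_mask)
    findings = []
    if not ipaddress.ip_network(network).subnet_of(hub):
        findings.append(f"{network} is not inside hub address space {hub}")
    if ipaddress.ip_interface(iface_ip_with_mask).ip == ipaddress.ip_address(gateway):
        findings.append(f"interface address collides with the Azure gateway {gateway}")
    return findings


def static_route_config(hub_space, iface_ip_with_mask, device="port2"):
    """Render the FortiOS 'config router static' block from the page: a summary
    route to the hub address space plus a /32 back to the probe source."""
    _, gateway = first_host_gateway(iface_ip_with_mask)
    routes = ((str(ipaddress.ip_network(hub_space)), None),
              (AZURE_LB_PROBE, PROBE_ROUTE_DISTANCE))
    lines = ["config router static"]
    for dst, distance in routes:
        lines += ["    edit 0", f"        set dst {dst}"]  # edit 0 = next free ID
        if distance is not None:
            lines.append(f"        set distance {distance}")
        lines += [f"        set gateway {gateway}", f"        set device {device}", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in sanity_checks("10.80.0.0/16", "10.80.112.5/25"):
        print("WARNING:", finding)
    print(static_route_config("10.80.0.0/16", "10.80.112.5/25"))
```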

Verifying BGP communication between FortiGate NVAs

After configuring the static route on all FortiGate NVAs, BGP peering is automatically enabled, and you can verify BGP communication.

To verify BGP communication between FortiGate NVAs:
  1. On the FortiGate NVA, run the get router info bgp summary command.

    If configured correctly, the address space from the Peering a vNET to the virtual WAN hub section should be propagated as well.
